Subject: RE: [dss] Representing requestor's identity
>This sounds less like signed attributes the signer would add to a
>particular signature, and more like policies, validity intervals, and name
>constraints a CA would add to the DSS Server's certificate.

I disagree. It relates to a trust relationship expressed between a requestor and the DSS. It has nothing to do with the DSS certificate.

>In other words, you wouldn't trust the DSS Server to say "I'm authorized to
>sign for Bob", you'd trust some higher-level authority to say "the DSS
>Server is authorized to sign for Bob".

No. This is incorrect as a legal matter.

>So this seems a matter of trust infrastructure that's out of scope for
>us. Though once I pointed out that if we wanted DSS services to be able to
>have an X.509 cert that says "I'm authorized to sign for *@acme.com", we
>could try to convince PKIX that a cert with SubjectName
>"delegated-signing-authority@acme.com" should have that semantics, or
>something:
>http://lists.oasis-open.org/archives/dss/200302/msg00019.html

I totally disagree.